Friday, January 10, 2014

A New Way to Sue Health Care Professionals Using HIPAA?

Walgreens
has been ordered to pay $1.44 million in a lawsuit brought against it for a
violation of the Health Insurance Portability and Accountability Act (HIPAA) by
one of its pharmacist employees.While
this may not sound like a big deal, this case represents only the second time
HIPAA has been successfully used this way in court and it could have serious
repercussions on the health care system.

The
story begins when a Walgreens pharmacist looked up the medical records of her
husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently
she found what she was looking for and told her husband about it, who then sent
a text message to his ex and informed her that he knew all about her results.

The
ex did not appreciate this, and told the Walgreens pharmacy about what happened.At some point after that, the pharmacist
accessed the ex’s medical records again, and eventually the ex filed a lawsuit
against Walgreens, claiming it was responsible for the HIPAA violation because
it failed to properly educate and supervise its employee.

Walgreens
argued what the pharmacist did fell outside of her job duties and therefore it
was not responsible for the breach.The
judge and jury disagreed, and the jury decided Walgreens was responsible for
80% of the damages owed the plaintiff (so I guess that means the total judgments
for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As
I said above, it may not sound like a big deal, but it potentially is.

Although
HIPAA has a mechanism by which health care providers can be subject to federal
civil and criminal penalties for violations, conventional legal wisdom says
HIPAA does not allow for a “private cause of action”, meaning a private
individual cannot sue a health care provider for breaching their medical
privacy.

Or
at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the
enterprising young attorney who successfully argued the only two cases in which
HIPAA has been used in this fashion, came along.

Mr.
Eggeson, who specializes in privacy law and medical malpractice, in an
interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I
should not be the only attorney in the country doing this type of work.”

But,
recently, a pathologist reader who is also an attorney wrote me and said the
manner in which HIPAA was used in the Walgreens case was actually not novel
after all.

The
reader also stated he believes there will likely be a lot more of these
HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realize
pharmacies, hospitals, and other health organizations are vulnerable and have
deep pockets.”

After
I received the reader’s email, I reached out to Neal Eggeson, the lawyer who
successfully argued the Walgreens case and asked him for clarification
regarding his case and how he used HIPAA.He was kind enough to respond.

My
reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many
thanks to both of them for helping me understand both this case and how HIPAA
is being used in civil lawsuits better.

The
reader:

“As
a multiple personality professional, I have a great amount of respect for
HIPAA, its use as a shield for privacy data, and its use as a sword in
litigation.As such, even though the
federal HIPAA statutes may not have a specific private right of action, I
believe pathologists and other health care providers should recognize that
breach of privacy litigation, both health care related and non-health care
related, has been around for many years as a private (common law, sometimes
statutory law) right of action.

What
plaintiffs commonly have been doing in recent years is to use a HIPAA violation
as the underlying predicate offense in their breach of privacy, defamation,
negligence, breach of fiduciary duty, or other likewise suit.Since HIPAA does not have a private right of
action, common folks like you and I cannot use HIPAA directly in a privacy
lawsuit, only the government can sue with HIPAA (civilly and criminally I might
mention).What private citizens have
been doing, though, is proving to the court that if a HIPAA violation occurred,
then this violation serves as a breach of duty by the health care professional
in negligence cases, fiduciary duty cases, and straight forward violation of
privacy cases.

…Doe
v. Quest in the Missouri Supreme Court, where the court allowed a breach of
fiduciary claim to stand verses Quest after their phelebotomist wrongly faxed
HIV results without the express permission of Mr. Doe.This case used overtones of HIPAA and similar
state privacy laws, like state HIV privacy laws, as the underlying predicate
(underlying wrong) in the suit.Additionally,
I easily found three other cases where HIPAA violations were used as the
underlying predicate for private rights of action in state law privacy
violation claims.

The
first is a federal case (attached) from the Eastern District of Missouri by Judge
Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v
Washington Univ (E.D. Mo 2011).In this
case, Judge Limbaugh recognized that there was no individual private right of
action under HIPAA, but that under Missouri law, HIPAA could be used to provide
a standard of care from which to judge a defendant’s actions, and that HIPAA
could also be used to establish a legal duty of care.States vary in their laws, so every state may
not agree with Missouri state law, but many do.

Second,
in a 2006 state court case (attached), the North Carolina Court of Appeals
allowed HIPAA to be used to demonstrate the standard of care element in a
psychiatric privacy case where the plaintiff sued for negligent infliction of
emotional distress.If one can use HIPAA
as the standard of care and show HIPAA was violated, then the next logical step
is that the health care professional breached a duty owed to the plaintiff by
violating the standard of care.After
that, all that remains is proving damages.

Finally,
in a more recent West Virginia Supreme Court case, a case that cites many
underlying cases from other states in a survey of the law, the Court found that
HIPAA does not preempt state laws and that HIPAA may be used as the basis of a
negligence claim (used as the standard of care to which a breach of duty is
judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.

I
hope you find this discussion interesting.HIPAA is a very complex and tricky set of laws and regulations, and I
fear litigating HIPAA will become the next new cottage industry for plaintiff
attorneys. The more pathologists and physicians know about HIPAA, the better.”